You story is hard to follow.
Many Internet Service Providers do require a password to start the point to point protocol. But once established, the hardware does the authentication. Having the user use a password does little nor nothing to prevent scampers and com artists from trying to pull one over on you.
As a rule, beware of any phone call, e-mail or other communication that tells you do something other contrary to what instruction you already received. If in doubt, tell them you are busy at the moment, but leave the 800 number (tool free) so you can will call back. That will stop them. With the 800 number you can find out who they really are. They don't like that. Unless it is a real company.